On Fri, 9 Aug 2013, Bernard Robertson-Dunn wrote:

> Sysadmins can only get at data that is viewable with "common" programs
> e.g. data in files with .txt .docx .wri type extensions.
>
> If the data are held in an application and can only be accessed via that
> application, then sysadmins can't get at the data - they need
> application level access.

The sysadmin responsible for managing the application will have privileged access. The sysadmin responsible for the operating system can likely access the application data outside of the security model imposed by the application. This may mean direct database access or accessing files on the filesystem. This access is often not audited, and even if it is, the sysadmin is often quite capable of hiding their tracks well. Sysadmins with access to the backup system can grab the data from there.

There are approaches that can be taken to limit this sort of behaviour but they generally take a level of effort and discipline I've rarely seen in organisations.

> It is quite possible and relatively easy to arrange access such that
> sysadmins can't see or copy data and people who can see and change data
> can't do things to the system.

I don't agree that it is easy at all. Siloing can be used to restrict access but it tends to be an expensive and cumbersome approach - so much so that most organisations don't use it at all, even many that should.

Cheers,

Rob

--
Email: rob...@timetraveller.org Linux counter ID #16440
IRC: Solver (OFTC & Freenode)
Web: http://www.pracops.com
Director, Software in the Public Interest (http://spi-inc.org/)
Information is a gas

_______________________________________________
Link mailing list
Link@mailman.anu.edu.au
http://mailman.anu.edu.au/mailman/listinfo/link